Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

An anonymous reader writes "Despite warnings that a cyberattack could cripple the nation's power supply, a U.S. Congressional report (PDF) finds that power companies' efforts to protect the power grid are insufficient. Attacks are apparently commonplace, with one utility claiming they fight off some 10,000 attempted attacks every month. The report also found that while most power companies are complying with mandatory standards for protection, few do much else above and beyond that to protect the grid. 'For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet. Of those that responded, 91% of IOUs [Investor-Owned Utilities], 83% of municipally- or cooperatively-owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally- or cooperatively-owned utilities, and 62.5% of federal entities reported compliance.'"

The report doesn't say what kind of attacks, it could have been an attack on the secretary's computer. Here is what the report describes: "cyber attacks ranging from phishing to malware infection to un-friendly probes.....Much of this
activity is automated and dynamic in nature able to adapt to what is discovered during its probing process.” Someone is running nmap.

"Able to adapt" does suggest that an intelligent agent is behind it, but it's hard to know without more detail.

Stuxnet spread via USB sticks, and successfully 'cyber' attacked nuclear refinement systems that were not on the net.

These regulations (at least from what I'm familiar with from the nuclear end of things) cover a lot of human & portable equipment policy, and destroy I/O ports in non-connected equipment to try to eliminate potential attack vectors or non-policy human activity that might compromise security. It does go beyond simply unplugging CAT5 cables.

So you're comparing our electric grid to Iran? What you're talking about is a personnel training issue - it's entirely fixable without granting the government massive cyber surveillance powers (well more than they have already).

If a US power facility does not have policy covering portable storage media, then yes they would be as vulnerable to attack as the Iranian nuclear refinement facilities.

None of the things being discussed with this security in particular involves cyber surveillance powers; they're all about ensuring that the workers' goings on within a facility itself are in line with security, and that quick workarounds to get things done are not allowed to breach security protocol.

Not going to happen. The US, and other parts of the world, have been very Marie Antoinette about internet / technology literacy, and the implications of a populous dependent on using said devices where the culture is set to super-apathy mode. They just...they don't care, and the way things are setup, there is no way to make them care, until the inevitable something horrid happens to them, then it's "why can't you guys do anything about this?"

Consider this: your average secretary for a CEO / Chairman / President of a company may or may not have the technological literacy to know whether or not his / her machine has become infected, and is now sending the VIP's electronic Rolodex / tax returns to some bad people. But the VIP is totally cool with how things are, until some insider breaks his company, or personally targets him. And then it's asking IT / the FBI to track down some people who have had a six month start, and probably swept their tracks right before their big heist. This is how technology illiteracy is killing companies.

onsider this: your average secretary for a CEO / Chairman / President of a company may or may not have the technological literacy to know whether or not his / her machine has become infected, and is now sending the VIP's electronic Rolodex / tax returns to some bad people. But the VIP is totally cool with how things are, until some insider breaks his company, or personally targets him. And then it's asking IT / the FBI to track down some people who have had a six month start, and probably swept their tracks right before their big heist. This is how technology illiteracy is killing companies.

What if anything does this have to do with a cyber attack on the electrical grid?

keep in mind that the core infrastructure used by the power grid makes up a sizable chunk of the internet. not only is it used for commercial and residenrial Internet access but it is used for things like traffic light timing systems. with that in mind it can't just be unplugged. it has to br properly firewalled and segregated. hopefully that is being done and it has to be constantly monitored.

The electrical grid does not make up a sizable chunk of the internet. Sure there's connectivity between various electrical sites but that's on physically separate networks that without someone plugging the wrong cable in aren't going to be accessible from the internet. The problem is they've attached lots of the command and control nodes to the internet, but the core electrical infrastructure is not on the internet.

Read it an weep, I'd be sacked if ever I did that, yet their network admins seem to think it's an 'improvement':

"Grid operations and control systems are increasingly automated, incorporate two - waycommunications, and are connected to the Internet or other computer networks. While these improvements have allowed for critical modernization of the grid, this increased interconnectivity has made the grid more vulnerable to remote cyber attacks."

Read it an weep, I'd be sacked if ever I did that, yet their network admins seem to think it's an 'improvement':

"Grid operations and control systems are increasingly automated, incorporate two - waycommunications, and are connected to the Internet or other computer networks. While these improvements have allowed for critical modernization of the grid, this increased interconnectivity has made the grid more vulnerable to remote cyber attacks."

So they took a critical system and connected it to every hacker and script kiddie on the planet, knowing that botnets endlessly test every IP address for vulnerabilities. And they complain about botnets testing the stuff THEY CONNECTED to the internet! WTF.

It's a case of incompetent sysadmins, couples to a self serving 'cyber-war' agenda on behalf of the people who should be advising them to disconnect them from the internet!

Something similar happened to me. I figured out that putting all my money in front of my door would be quite useful because I'd just take some of it when I leave the house, and I don't need my money inside anyway. However as soon as I did so, people just started to take away my money lying there! Who would have thought that!

Try £10,000 on a box in the power station control room that's got "industrially secured" on the box. It's a firewall, fire blanket and fire extinguisher all rolled into one! It ticked all the checkboxes on the spec sheet. It cost £10,000. It's all we needed.

Except anyone can walk into the control room and push any buttons they like. There's even a USB interface on each PC.

Sure, this is not the grid (UK), it's the power generators. The grid is actually stuck 50 years in the past.

It sure is a good thing that we've been focusing our efforts on defense, rather than developing sophisticated attack toolkits and releasing them into the wild where they definitely won't get reverse engineered and re-deployed...

(1) It costs money
(2) There is no measurable profit
(3) There is no measurable increase in productivity
(4) There is no measurable increase in share price
(5) The bozos who make the decisions usually don't understand the issues anyway

Only once the proverbial hits the fan will something be done and even the it will probably be blamed on the power lines sagging onto a tree on a hot day...

Your conclusion is probably right, but one workaround would be for Congress to grant the utilities big bucks to fix it, whereupon entrepreneurs with solutions (and con artists with "solutions") would pop up all over. That would take care of (1), (2), and (4).

Not sure I like that suggestion, but admittedly it is in our national interest to do something about it.

I vaguely remember reading that our national grids are a mere hop and a skip of the Grim Reaper, even without cyberattacks.

(0) We have laws that criminalize the breach of ToS-es, so it's no longer our problem... we have 3-letter-agencies and US Attorney Carmen M. Ortiz to protect us.Our mission is not security but to make profits (e.g. externalize costs, avoid taxes, etc; if it would lead to increase profits, we'll even lobby the Congress to repel the Law of gravitational attraction)

(1) It costs money
(2) There is no measurable profit
(3) There is no measurable increase in productivity
(4) There is no measurable increase in share price

Only once the proverbial hits the fan will something be done and even the it will probably be blamed on the power lines sagging onto a tree on a hot day...

There IS measurable profit and increase in productivity, which will lead to increase in share price.
Once you realize a grid is down, and you are losing money to a preventable issue, you will be able to determine the cost.
Of course this is reactive thinking instead of forward thinking, something only money grubbing corps do.
Productivity is increased or recoupped because you arent hiring people to chase after viruses, paying OT to people fixing something in the middle of the night, and losing time on their

Take, for example, the latest hurricanes on the east coast. Or better 'snow on the trees' of 2012 fame.Lots of trees came down. Fell on power lines, cut power to my neighbourhood for a week. Hurricane sandy was 2-to-3-weeks for most in my area.

One assumes they lost a shedload of business during that period, but until $lost-for-not-providing-power > the cost of *burying the damn power lines* it won't happen.They beg and whine and moan at the state for money to perform the stupid

When I was a kid in the 1970s Detroit Edison did a study and found that it would cost half a million dollars to bury the power lines in a certain area, so the idea was shelved. Coincidentally the very next day an ice storm caused three quarters of a million in damage to that same area. They fixed the overhead lines and then left them that way for the next decade at least.

Very true
This was my experience with the Y2K program. I looked at what was being done and commented that it wasn't addressing the whole issue. The response: "We need to look like we are being seen to be doing the right thing so we cannot be sued for negligence" rather than actually putting in a technically correct solution.

Hence why the for-profit utilities have far lower security compliance rates than the government run ones. Unless you start micromanaging penalty structures (while various political parties try and poke holes in them) the cheapest way to run something is rarely the way that is in the best interest of the general public, and business selection pressure is always to the cheapest way. It's no good saying "oh, but when the utilities that do not implement security fail, people will stop paying them!", that's clos

Actually most of the equipment covered under NERC is custom embedded firmware. An air gap in this case is actually highly effective. In order to install a Trojan you need to access one of about 5,000 computers run by a select few people and trick them into installing a new firmware version on a proprietary system. Firmware updates are fairly uncommon, and take a lot of time with these systems (typically 9600 baud through a serial port). To do this automatically behind the users back would be highly unli

Since always. "Airgap" is a anachronistic term that originated before the proliferation of wireless networks. If it's physically possible from a signal to get between the internal and external networks you don't have an airgap. And yes that pretty much means that, actual air aside, if you have a wireless internal network outside of a secure faraday cage you *don't* have an airgap.

The report mentions there has not been a single instance of damage caused by cyber-attacks.

There has been damage, however, " the only physical attacks
experienced
on their
systems
seemed linked to acts of vandalism and thefts of copper. Most incidents appeared unrelated to terrorism. However, one federal entity that owns a major piece of the bulk power system reported a Molotov cocktail was thrown at a dam."

Drunk kids having a little fun. Basically... all kids are terrors in one way or another. Too bad we've moved way beyond imposing a fine, a stern talking to, and maybe a few hours picking up garbage on the freeway.

If the only "terrorists" we have to worry about are idiots stupid enough to throw a molotov cocktail on a dam as though that would actually hurt anything then there's not much point in defending against them. Frankly though I don't think terrorists are the problem. Realistically, when has a terrorist caused much more than an inconvenience and a few days of overdramatic journalism. 9/11? More deaths and property damage occur via bad luck and stupidity in any 24-hour window. The only thing that made it not

I think the parents point was that they were probably just some kids, not terrorists. I recall as a kid playing with fire, my friends and I would deliberately chose large relatively impervious cement structures like those big stome drain tubes etc because we could be pretty certain we would do no damage to them, and there would be nothing flammable near by for fire to spread to.

If you want see what a molatove cocktail will do, throwing agaist the side of a big concrete damn is probably about the safest pla

Your conclusion is probably right, but the decision will be for Congress to give a lot of money to solve, why entrepreneurs and their solutions (and crooks "Decision"), pop-up everywhere. Care should be taken (1), (2) and (4).
Not sure I like this proposal, but really in our national interest to do something about it.
I vaguely remember reading that our national network are just a hop and a jump from the mower, even without the cyber attacks.
By Hi-Tech ITO

At the opportune moment the President of the United States of America will issue an order to destroy the power grids across the contiguous USA and the killing of the executive staffs of the companies in charge. This operation will take approximates 15 minutes to accomplish give pre-positioning of assets.

I would have thought you were Glenn Beck for a moment except you didn't frame your paranoia as a question...

I worked on some of the software that manages the bidding and load-balancing of the grid that powers much of the US and some smaller portions of the world. I have to say that it, by far, was some of the worst software I have ever seen in my life. Spaghetti like you wouldn't believe. To be clear, it wasn't the code that actually ran the grid, but it told the grid the optimal way to run at certain times.Bug fixes were "fixed" by - how to say it - filtering existing code. We weren't allowed to change existing

Out here in "flyover country" we have storms, tornadoes, lightning, wind, ice, and snow. Power outages, while not all that common, are just something we have to deal with. I see big diesel or natural gas generators outside every government building and most businesses. A lot of homeowners I know have their own portable generators. When storms come through someone inevitably loses power, it happens. It can take a few hours to get fixed, in rare and extreme cases it can take days. Life goes on.

If you can trigger a cascade failure, you could black out a state for days. It's happened by accident before.

It'd have to be an inside job, though. Even if someone outside could compromise the security, only someone with very precise knowledge of how the grid is build could pull off a cascade failure. Not just how it's designed, but how all those really tidy schematics translate to the real equipment - only someone who works with it would know, for example, if a breaker rated for 65A is going to trip reliab

Heck, I suffered multi-hour power outages several times near downtown Denver over the course of a couple years. Shit happens, people deal with it. So long as nobody manages to blow anything up it's just a nuisance. And an excuse to eat all that ice-cream in the freezer, just in case.

What you should be worried about are the things they don't think about (usually because someone says it's impossible). What happens to a turbine if power is input and no power is output? Often they spin out of spec and can destroy themselves. So target plants to destroy the generators themselves. Those are harder to repair/replace, and take out enough, and you'll have rolling blackouts for months.

OMNI magazine recently set its archives loose online. Check the January 1989 issue, "The Rules of the Game" (http://archive.org/stream/omni-magazine-1989-01/OMNI_1989_01#page/n17/mode/2up, flip to page 42) for the low tech nightmare. If you think the nation without a power grid would make for a seriously bad month, you lack imagination. Try a seriously bad year, or longer. Pretty much every piece of infrastructure is built with the assumption that electicity is somewhere close at hand.

The physical infrastructure of the power grid is an infinitely easier target, with gigantic ROI for terrorists or actual enemy agents. The $100,000 you could spend for a good 0-day would be better spent on a few RPGs and some half-decent watches. Network attacks are a fool's errand. If you want to prevent awful things, your money is better spent on guards.

That OMNI article may be the first "How can I unknow this?" moment of my literate life.

1. Google maps reveals power lines.2. Minions take angle grinders to pylons at agreed times.3. Minions run to another location before anyone arrives to investigate.

One team of minions could trash many pylons before being caught, and a toppled-over pylon would take days to re-erect even if every shortcut was taken in construction. No rare or expensive resources required.

Funny you mention that, because police here in Canada have been warned to watch for natives doing this in order to disrupt the country. It's been an on-going warning since the 1980's.

This is what I came to say, not this specific thing, but that it's bullshit. How the hell do you watch for people doing this? For that matter, you don't even need an angle grinder, just a hack saw. It would take a long time, but it's much easier to conceal and a lot lighter to carry around. The truth is that most of our cities get power through just one or two points and it would be easy to disrupt them, but nobody is actually even trying. We know nobody is trying because of how pathetically easy it would b

Fuck wasting time on pylons shoot some of the large transformers at a substation with a rifle. If you can't find a substation to shoot transformers in then shoot some of the pole pigs. Google maps also reveals where sub stations are. As an added bonus you can shoot a transformer from a greater distance than taking an angle grinder to a pylon not to mention the time difference between the 2 options.

It was a fictional story that was mainly worst-case (with some not-quite-worst-case thrown in so that anyone who claimed it was "worst case" could be rebutted). Yes, there are vulnerable parts of electrical generation/distribution. But the "real" terrorists have never targeted hidden infrastructure. They could do more damage with a bomb in a transformer station, but would rather blow up in a marketplace. Even in war, there have been suspected saboteurs, and they never caused significant damage.

Human Machine Interface / Supervisory Control And Data Acquisition. That's the proper name for the central control of a distributed industrial control system. Just one of our licenses controlled a giant automobile assembly plant from a single PC, that if I understand correctly turned out a new pickup truck every fifteen seconds.

If you're going to attack a nation's power grid, you attack that power grid's HMI / SCADA installations. That's easier to do than you think, because remote installations are often

This report actually tells that with a few exceptions, the grid is protected in the way that federal regulations require. It then goes on to say that federal regulations are not strict enough. It comes up with "tens of thousands of attacks" where everyone that knows what this is about will know that these are a few standard port scans. If you count every package as a single attack, you'll get into big numbers easily. It claims destruction of tens of thousands of hard drives at an Arab oil company, while in

The biggest actual threat the report can come up with is physical damage to large distribution station transformers. To damage these, physical action, not cyber, will have to be taken.

If one manages to turn on and off sufficient load in a synchronous fashion, (5 secs on, 5secs off, repeat.) it will cause the power companies turbines and generators to literally leap off their foundations and self destruct.

This destructive act could be accomplished by hacking the substations or by taking control of a sufficient number of Smart meters with remote service interruption capability.

I remember an 80's movie called Prime Risk where some girl is working on an ATM hack then realises terrorists are already in the system planning to blow up key data nodes to bring the banking system to its knees. Iliked it because she used an Atari 800/810 disk drive for everything but it was still an OK film from memory.

The 10000 attempted attacks per month is the CIO's way of justifying their core firewall. Every SYN packet that hits port 22 is an attempted attack.

You see, they need big scary numbers to justify to the CFO why they need a maintenance contract on their overpriced Cisco what-cha-ma-call-it doothingy that separates their network from the wild and caa-razy internet. "10000 attempts?!? Wow! Good job, Biff. Here's your budget."

I read a book by Tom Clancy once that ended with a plane crashing into the Capital Building....years later we had 9/11. I have recently read several books that had subplots of the Chinese hacking our infrastructure. Power, Water and Nuclear. It seems to me that fiction can be turned into reality someone really grabs an idea... It almost makes you want to buy a generator and a pallet of water.... History has shown us that the U.S, Government is reactive not proactive to these type of problems.

No Industrial Controller should ever be connected to the internet.
This security problem applies to all Manufacturing, Chemical, Pharmaceutical, and Power industries.

When multiple sites need to be connected, they should use a Serial Dial-up or Leased Line connection
or a VPN bridge that cannot respond to any Internet requests that do not originate from the VPN.
DDOS attacks against the VPN nodes should only be able to disconnect the controller networks
at which point a fallback Dial-up connection will ta

The ugliest humans I have ever seenugly on the inside type are in congress. And I give no quarter to anything that comes from there. After anything they say has been reviewed then we will see what is really going on.

This "Cyber" buzzword sounds über-cool, I have to admit it.Very 80's and 90's cool with all these Tron guys and Wargames (the movie).

But WTF? We are in 2013 already, who the heck still believes that you can "attack" a WAN or a network that's not even on the internet from the internet?

It's the new "War On Drugs" making a problem were it didn't exist and in this case the threat itself is so vague and abstract that the common people has no way to know even if any halfwitted IT guy can tell it's all plain

Just to support c0lo's point - all the anti-terrorism/anti-cyberwarfare mandates in the universe aren't worth a sneeze in a hurricane *after* a massivle distributed zombie attack has been initiated. Hell, you could nuke half the planet and the remaining machines would still probably be more than enough to cripple the target. Now maybe the tinfoil hatters are right and 9/11 was known about well beforehand and allowed/encouraged to happen for political reasons. We'd better pray that they are, because physi

Ummmm... and if the attack originates in a highly distributed bot-net? What about the script-kiddie is on US soil?

Still not a problem...and here's why: things change when it becomes about nations. Espionage doesn't have an IP address, and neither does terrorism. Countries are already quite used to using a wide variety of both tactics and sources of information to find out who is behind a certain act even when those who commit the act take technical measures to mask their identity, nationality, and location. If anything, the connected nature of cyber attacks makes it easier to track them, even though you cannot trust

It could even keep a local part of the grid up while all others around them suffer power failures.

And that is a BIG no-no. Because it kills linemen trying to fix the outage.

Those transformers work both ways. Your little generator or inverter gets stepped up to maybe 8,000 or 12,000 volts. Then a lineman who thinks the power is down brushes against a wire (or comes within a quarter-inch of it) and is "burned" - to death.

Grid-connected inverters with a "sell" feature MUST monitor the network and shut down if they detect islanding - being cut off from the grid, with one or a collection of generators running autonomously. It's perfectly OK to feed power into the grid when it's up (if you're using UL approved equipment, connected according to code, inspected for compliance, and the utility knows you're doing it according to the rules.) It's perfectly OK to have things wired so your equipment still feed your house if the grid goes down, but it MUST cut itself off from the dying or dead grid and stay off until the grid comes back up and stabilizes at the nominal voltage and frequency.

I've never seen "licensed" grid tie systems that didn't do what you describe. Though there are plenty of "kits" that will happily let you kill yourself or linemen, but they are never certified and any licensed electrician wouldn't install them. They are pretty cheap. The expense in the grid tie systems is the batteries, which are necessary for most systems to get the results the buyer expects.

I've never seen "licensed" grid tie systems that didn't do what you describe.

And you won't: They can't be "licenced" if they don't do this.

About the only way you can feed the grid legitimately without such a device is by pushing on an induction motor (as happens sometimes in normal applications, like with a mo-gen system for an electric elevator when the elevator is being slowed down.) Induction motors depend on the grid for excitation and won't self-generate unless you've got enough capacitors hung acros

Do you really think linemen are morons? What, do you think they turn the power off to work on the lines? You think they bet their asses that the circuit is cold and going to stay that way? You don't touch bare wiring in anything without assuming it will kill you and taking the appropriate caution. And trust me. Linemen don't accidentally brush up against wires. Doling so in that line of work can be deadly and will get you fired to save your life and those you work with.